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Introduction 


Reactive  systems  have  an  ongoing  interaction  with  their  environment,  and 
their  computations  are  infinite  sequences  of  states.  A  large  number  of  sys¬ 
tems  can  be  seen  as  reactive  systems,  including  hardware,  concurrent  pro¬ 
grams,  network  protocols,  and  embedded  systems.  Temporal  logic  provides 
a  convenient  language  for  expressing  properties  of  reactive  systems.  A  tem¬ 
poral  verification  methodology  provides  procedures  for  proving  that  a  given 
system  satisfies  a  given  temporal  property. 

This  research  is  directed  towards  the  implementation  of  a  comprehen¬ 
sive  toolkit  for  the  development  and  verification  of  high  assurance  reactive 
systems,  especially  concurrent,  real-time,  and  hybrid  systems.  For  this,  we 
have  designed  and  implemented  the  STeP  (Stanford  Temporal  Prover)  ver¬ 
ification  system. 

STeP  is  a  tool  for  the  computer-aided  formal  verification  of  reactive 
systems,  including  real-time  and  hybrid  systems,  based  on  their  temporal 
specification.  STeP  integrates  model  checking  and  deductive  methods  to 
allow  the  verification  of  a  broad  class  of  systems,  including  parameterized 
(N-component)  circuit  designs,  parameterized  (iV-process)  programs,  and 
programs  with  infinite  data  domains. 

Figure  1  presents  an  outline  of  the  STeP  system.  The  main  inputs  are  a 
reactive  system  and  a  property  to  be  proven  for  it,  expressed  as  a  temporal 
logic  formula.  The  system  can  be  a  hardware  or  software  description,  and 
include  real-time  and  hybrid  components  (Section  2).  Verification  is  per¬ 
formed  by  model  checking  or  deductive  means  (Section  4),  or  a  combination 
of  the  two  (Section  5). 

2  Describing  Reactive  Systems 

The  various  systems  STeP  can  verify  differ  in  their  time  model — discrete, 
real-time,  or  hybrid — as  well  as  in  the  domain  of  their  state  variables,  which 
can  be  finite  or  infinite.  Furthermore,  systems  can  be  parameterized  in  the 
number  of  processes  that  compose  them  (iV-process  systems).  All  of  these 
systems  can  be  modeled,  however,  using  the  same  underlying  computational 
model:  (fair)  transition  systems  [MP95].  This  basic  model  is  extended  in 
appropriate  ways  to  allow  for  modular  structures,  hardware-specific  compo¬ 
nents,  clocks,  or  continuous  variables.  Figure  2  describes  the  scope  of  STeP, 
classified  along  these  three  main  dimensions. 
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Figure  1:  An  outline  of  the  STeP  system 

2.1  Transition  Systems 

The  basic  system  representation  in  STeP  uses  a  set  of  transitions.  Each  tran¬ 
sition  is  a  relation  over  unprimed  and  primed  system  variables,  expressing 
the  values  of  the  system  variables  at  the  current  and  next  state.  Transitions 
can  thus  be  represented  as  general  first-order  formulas,  though  more  spe¬ 
cialized  notations  for  guarded  commands  and  assignments  is  also  available. 
In  the  discrete  case,  transitions  can  be  labeled  as  just  or  compassionate ; 
such  fairness  constraints  are  relevant  to  the  proof  of  progress  properties  (see 
[MP95]). 

2.2  SPL  Programs 

For  convenience,  discrete  systems  can  be  described  in  the  Simple  Program¬ 
ming  Language  (SPL)  of  [MP95].  SPL  programs  are  automatically  trans¬ 
lated  into  the  corresponding  fair  transition  systems,  which  are  then  used  as 
the  basis  for  verification. 


5 


SCOPE 


Figure  2:  Scope  of  STeP 

2.3  Real-Time  Systems 

STeP  can  verify  properties  of  real-time  systems,  using  the  computational 
model  of  clocked  transition  systems  [MP96].  Clocked  transition  systems 
consist  of  standard  instantaneous  transitions  that  can  reset  auxiliary  clocks, 
and  a  progress  condition  that  limits  the  time  that  the  system  can  stay  in 
a  particular  discrete  state.  Clocked  transition  systems  are  converted  into 
discrete  transition  systems  by  including  a  tick  transition  that  advances  time, 
constrained  by  the  progress  condition.  The  tick  transition  is  parameterized 
by  a  positive  real-valued  duration  of  the  time  step. 

Temporal  logic  properties  can  refer  to  the  global  clock,  and  the  auxiliary 
ones,  to  specify  real-time  properties;  the  underlying  temporal  logic  remains 
the  same.  Since  the  transition  system  framework  is  also  retained  by  rep¬ 
resenting  tick  as  a  discrete  parameterized  transition  of  the  time-step,  this 
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representation  allows  STeP  to  reuse  existing  verification  rules  for  untimed 
temporal  logic  can  be  reused  for  [KMP96]. 

2.4  Hybrid  Systems 

Hybrid  transition  systems  generalize  clocked  transition  systems,  by  allow¬ 
ing  real-valued  variables  other  than  clocks  to  vary  continuously  over  time. 
The  evolution  of  continuous  variables  is  described  by  a  set  of  constraints, 
which  can  be  sets  of  differential  equations  or  differential  inclusions.  Similar 
to  clocked  transition  systems,  hybrid  transition  systems  are  converted  into 
discrete  transition  systems  by  including  a  tick  transition,  parameterized  by 
the  duration  of  the  time  step.  However,  for  hybrid  systems  the  tick  transi¬ 
tion  must  not  only  update  the  values  of  the  clocks,  which  is  straightforward, 
but  must  also  determine  the  value  of  the  continuous  variables  at  the  end  of 
the  time  step.  The  updated  value  of  the  continuous  variables  is  represented 
symbolically;  axioms  and  invariants,  generated  based  on  the  constraints,  are 
used  to  determine  the  actual  value  or  the  range  of  values  at  the  time  they 
are  needed. 

Other  formalisms  such  as  timed  transition  systems,  timed  automata  and 
hybrid  automata  can  be  easily  translated  into  hybrid  and  clocked  transition 
systems  [MP96].  Furthermore,  the  transition  system  representation  allows 
discrete  variables  that  range  over  infinite-domains,  as  opposed  to  automata- 
based  formalisms  where  the  domain  of  discrete  variables  must  be  finite-state. 

2.5  Modularity 

Complex  systems  are  built  from  smaller  components.  Most  modern  pro¬ 
gramming  languages  and  hardware  description  languages  therefore  provide 
the  concept  of  modularity.  STeP  includes  facilities  for  modular  specification 
and  verification  [FMS98],  based  on  modular  transition  systems ,  which  can 
concisely  describe  complex  transition  systems.  Each  module  has  an  inter¬ 
face  that  determines  the  observability  of  module  variables  and  transitions. 
The  interface  may  also  include  an  environment  assumption ,  a  relation  over 
primed  and  unprimed  interface  variables  that  limits  the  possible  environ¬ 
ments  the  module  can  be  placed  in.  The  module  can  only  be  composed  with 
other  modules  that  satisfy  the  environment  assumption.  Communication  be¬ 
tween  a  module  and  its  environment  can  be  asynchronous,  through  shared 
variables,  and  synchronous,  through  synchronization  of  labeled  transitions. 

More  complex  modules  can  be  constructed  from  simpler  ones  by  pos¬ 
sibly  recursive  module  expressions,  allowing  the  description  of  hierarchical 
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systems  of  unbounded  depth.  Module  expressions  can  refer  to  modules  de¬ 
fined  earlier,  or  instances  of  parameterized  modules,  enabling  the  reuse  of 
code  and  of  properties  proven  about  these  modules.  Besides  the  usual  hid¬ 
ing  and  renaming  operations,  the  language  provides  a  construct  to  augment 
the  interface  with  new  variables  that  provide  a  summary  value  of  multiple 
variables  within  the  module.  Symmetrically,  a  restriction  operation  allows 
the  module  environment  to  combine  or  rearrange  the  variables  it  presents 
to  the  module. 

Real-time  and  hybrid  systems:  Real-time  and  hybrid  systems  can  also 
be  described  as  modular  systems;  discrete,  real-time  and  hybrid  modules 
may  be  combined  into  one  system.  The  evolution  constraints  of  hybrid 
modules  may  refer  to  continuous  variables  of  other  modules,  thus  enabling 
the  decomposition  of  systems  into  smaller  modules.  To  enable  proofs  of 
nontrivial  properties  over  such  modules,  we  allow  arbitrary  constraints  on 
these  external  continuous  variables  in  the  environment  assumption. 

2.6  Hardware  Description 

A  Verilog  hardware  description  language  front-end  has  recently  been  added 
to  STeP.  Its  main  component  is  a  compiler  that  takes  Verilog  input  and 
produces  a  fair  transition  system,  which  can  then  be  analyzed  using  the 
deductive  and  algorithmic  tools  of  STeP. 

The  goal  of  this  compiler  is  to  produce  a  faithful  representation  of  the 
input  program,  taking  into  account  the  delays  and  events  that  are  part  of  the 
Verilog  semantics.  The  compiler  extends  the  Verilog  language  by  allowing 
parameters  to  be  left  unspecified.  These  parameters  can  be  used  to  declare 
bit  vectors  of  arbitrary  size,  or  to  compose  an  array  of  lower-level  modules. 
These  features  cater  to  the  deductive  component  of  STeP,  which  can  verify 
properties  of  general  infinite-state  systems. 

3  Verification  Methodology 

STeP  is  best  viewed  as  providing  a  toolkit  of  verification  methods  based  on 
a  common  system  description  language  and  specification  language.  A  given 
system  can  be  analyzed  in  a  number  of  ways.  Depending  on  the  system  and 
property  to  be  proved,  different  tools  will  be  applicable  or  more  appropriate: 

Model  Checking:  If  the  system  is  finite-state,  arbitrary  temporal  prop¬ 
erties  can  be  automatically  established  or  refuted,  using  explicit-state  or 
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symbolic  model  checking  (Section  4.3).  Symbolic  model  checking  is  appli¬ 
cable  only  if  all  variables  have  finite-domain.  Some  classes  of  infinite-state 
systems  can  be  checked  with  the  explicit-state  model  checker,  which  is  not 
guaranteed  to  terminate  in  this  case.  For  parameterized  and  infinite-state 
systems,  finite-state  instances  of  the  system  can  be  model  checked  to  quickly 
search  for  bugs. 

Invariant  Generation:  For  most  deductive  verification  proofs,  system 
invariants  of  increasing  strength  must  be  collected,  where  previous  invariants 
are  used  to  establish  subsequent  ones.  Automatic  invariant  generation  is 
used  to  establish  a  basic  initial  set  of  invariants  (Section  5.1). 

Verification  Rules:  To  prove  simple  safety  properties,  deductive  rules  can 
be  used,  with  the  user  providing  adequate  strengthenings  (intermediate  as¬ 
sertions)  where  necessary  (Section  4.2).  Previously  established  invariants  are 
used  to  prove  the  required  verification  conditions,  which  are  automatically 
generated  by  the  system. 

Verification  Diagrams:  A  verification  diagram  can  be  provided  by  the 
user,  as  a  system  abstraction  that  proves  a  particular  property  in  question. 
Verification  conditions  justify  the  correctness  of  the  diagram,  while  an  algo¬ 
rithmic  procedure  checks  that  the  diagram,  indeed,  proves  the  property  at 
hand  (Sect.  5.3). 

Abstraction:  A  finite-state  abstraction  of  the  system  can  be  generated, 
such  that  properties  model  checked  for  the  abstract  system  will  hold  of 
the  original  system  as  well  (Sect.  5.4).  Since  the  abstraction  is  finite-state, 
it  can  be  model  checked.  Available  invariants  improve  the  quality  of  the 
abstraction,  allowing  more  properties  to  be  proved. 

4  Deductive  Verification  and  Model  Checking 

STeP  provides  a  comprehensive,  integrated  environment  to  prove  tempo¬ 
ral  properties  over  reactive  systems.  The  STeP  Session  Editor,  presented  in 
Figure  3,  keeps  track  of  the  main  properties  of  interest  throughout  the  verifi¬ 
cation  session,  including  axioms,  assumptions,  previously  proven  properties, 
and  automatically  generated  invariants,  as  well  as  the  module  to  which  each 
applies.  Thus,  it  can  handle  multiple  systems  and  proofs  simultaneously. 
Properties  can  be  activated  or  deactivated  to  control  the  extent  of  their  use 
in  automatic  theorem-proving. 
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Figure  3:  STeP  Session  Editor 


4.1  Property  Specification:  Linear-Time  Temporal  Logic 

We  use  linear-time  temporal  logic  (LTL)  to  represent  properties  of  reactive 
systems  [MP95].  A  model  of  LTL  is  an  infinite  sequence  of  states.  We 
use  the  usual  temporal  operators,  such  as  Dp  ( p  is  always  true),  Op  (p  is 
eventually  true),  pUq  (p  is  true  until  q  is  true,  which  eventually  happens), 
and  p  W  q  (p  awaits  q — p  is  true  at  least  until  q  is  true,  but  q  need  not 
eventually  happen). 

We  distinguish  between  safety  and  progress  properties.  Informally,  safety 
properties  say  that  certain  “bad  states”  will  never  be  reached,  e.g.  as  in  an 
invariance  Dp  for  an  assertion  p. 

Progress  properties,  on  the  other  hand,  can  say  that  “good”  states  will 
eventually  be  reached  (perhaps  recurrently).  Safety  properties  do  not  de¬ 
pend  on  the  fairness  constraints  of  the  system,  whereas  progress  properties 
require  the  justice  or  compassion  of  particular  transitions  in  order  to  be 
proved. 

To  specify  properties  of  real-time  and  hybrid  systems,  temporal-logic 
properties  can  refer  to  the  global  and  auxiliary  clocks,  and  to  the  continuous 
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Figure  4:  STeP  Proof  Editor 

variables;  the  underlying  temporal  logic  remains  the  same. 

4.2  Deductive  Verification 

The  deductive  methods  of  STeP  verify  temporal  properties  of  systems  by 
means  of  verification  rules  and  verification  diagrams.  Verification  rules  re¬ 
duce  temporal  properties  of  systems  to  first-order  verification  conditions 
[MP95].  Verification  diagrams  [MP94]  provide  a  visual  language  for  guid¬ 
ing,  organizing,  and  displaying  proofs,  and  automatically  generating  the 
appropriate  verification  conditions  as  well  (see  Section  5.3). 

As  clocked  and  hybrid  transition  systems  are  converted  into  fair  tran¬ 
sition  systems,  verification  rules  and  diagrams  are  uniformly  applicable  to 
discrete,  real-time  and  hybrid  systems.  However,  due  to  the  parameteriza¬ 
tion  of  the  tick  transition,  the  resulting  verification  conditions  for  real-time 
and  hybrid  systems  are  usually  more  complex  than  those  for  (unparameter¬ 
ized)  discrete  systems. 

Figure  4  shows  the  STeP  Proof  Editor,  which  is  used  to  apply  the  basic 
deductive  temporal  verification  rules  as  well  as  the  Gentzen-style  interactive 
theorem  proving  rules.  In  a  typical  deductive  verification  effort,  the  top-level 
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goal  is  a  temporal  formula  to  be  proven  valid  for  a  given  system.  Verification 
rules  or  diagrams  are  used  to  generate  verification  conditions,  as  subgoals, 
which  together  imply  the  system  validity  of  the  original  temporal  property. 
These  subgoals  are  then  established  automatically  using  decision  procedures 
(Section  5.2)  or  interactively  using  the  Gentzen-style  rules.  Model  checking 
is  also  initiated  by  the  Proof  Editor. 

4.3  Model  Checking 

STeP  features  automatic  explicit-state  and  symbolic  model  checking  for 
linear-time  temporal  logic.  The  explicit- state  model  checker  performs  an 
incremental  (depth-first)  search  of  the  state-space,  directed  by  the  tempo¬ 
ral  tableau  (automaton)  for  the  negated  specification.  Thus,  only  those 
states  that  can  potentially  violate  the  specification  are  visited.  This  enables 
the  use  of  the  explicit-state  model  checker  on  some  infinite-state  systems, 
though  it  is  not  guaranteed  to  terminate  for  these  systems.  The  symbolic 
model  checker  uses  a  breadth-first  search  through  sets  of  states  represented 
by  ordered  binary  decision  diagrams  (OBDDs).  Thus,  it  is  limited  to  finite- 
state  systems,  whose  variables  range  over  a  fixed,  finite  number  of  values. 

When  transitions  can  be  expressed  as  guarded  commands  (i.e.,  the  sys¬ 
tem  is  a  set  of  deterministic  actions),  symbolic  model  checking  is  optimized 
using  techniques  for  computing  predecessor  states  without  computing  the 
entire  transition  relation.  A  specialized  backwards  search  for  proving  invari¬ 
ants  is  also  available.  The  set  of  states  visited  in  the  backwards  search  is 
constrained  by  auxiliary  invariants,  which  may  have  been  formulated  and 
verified  before,  or  generated  automatically  (see  Section  5.1). 

The  symbolic  and  explicit-state  model  checkers  complement  each  other. 
Although  limited  to  finite-state  systems,  the  symbolic  model  checker  can  be 
considerably  more  efficient,  particularly  when  the  state-space  is  large  and 
the  transition  relation  and  fixed  points  are  amenable  to  representation  by 
OBDD’s  [McM93].  On  the  other  hand,  the  explicit-state  model  checker  is 
often  faster  on  systems  with  relatively  few  reachable  states. 

4.4  Modular  Verification 

Different  components  of  a  large  system  may  require  the  application  of  differ¬ 
ent  verification  methodologies,  depending  on  their  specific  type  (real-time 
or  discrete,  finite-  or  infinite-state).  Using  the  notion  of  modular  validity, 
modular  properties  can  be  established  by  the  same  set  of  methods  as  global 
properties,  accounting  for  environment  transitions.  Automatic  property  in- 
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heritance  then  ensures  that  such  properties  can  be  used  as  lemmas  in  proofs 
over  composite  modules.  In  the  case  of  recursively  defined  systems,  proper¬ 
ties  can  be  established  by  structural  induction. 

Many  properties  are  not  directly  guaranteed  by  a  module,  but  hold  only 
under  certain  assumptions.  STeP’s  proof  management  allows  assumptions 
to  be  used  before  their  proof  is  available,  checking  the  resulting  dependency 
diagram  to  avoid  unsound  circular  reasoning.  Assumptions  about  the  envi¬ 
ronment  can  be  made  when  proving  a  modular  property,  and  subsequently 
discharged  when  the  module  is  composed  with  another.  The  search  for  ap¬ 
propriate  assumptions  can  be  guided  by  constructing  verification  diagrams 
for  each  module  and  attempting  to  prove  the  associated  verification  condi¬ 
tions  [FMS98,  MCF+98]. 

5  Combining  Deductive  and  Algorithmic  Methods 

STeP  includes  formalisms  that  combine  deductive  and  algorithmic  verifica¬ 
tion  in  a  number  of  different  ways,  which  differ  in  the  degree  and  type  of 
intervention  that  is  required  from  the  user. 

Besides  model  checking,  described  in  Section  4.3,  STeP  provides  two  ba¬ 
sic  automatic  tools  that  support  deductive  and  deductive-algorithmic  veri¬ 
fication:  automatic  invariant  generation  and  decision  procedures.  Both  are 
used  extensively  in  the  combinations  of  deductive  and  algorithmic  verifica¬ 
tion  presented  in  Sections  5.3  and  5.4. 

5.1  Automatic  Invariant  Generation 

Deductive  verification  is  usually  an  incremental  process:  simple  properties 
of  the  system  being  verified  are  proved  first  and  then  used  to  help  establish 
more  complex  ones.  STeP  implements  techniques  for  the  automatic  genera¬ 
tion  of  invariants ,  as  described  in  [BBM97].  Invariant  generation  is  based 
on  approximate  propagation,  starting  from  the  set  of  initial  states,  through 
the  state-space  of  the  system  until  a  fixpoint  is  reached,  based  on  the  frame¬ 
work  of  abstract  interpretation  [CC77].  Depending  on  the  approximation 
method  used,  different  types  of  invariants  can  be  generated: 

•  Local  invariants  result  from  analyzing  the  possible  values  of  individual 
variables,  as  well  as  the  relation  between  control  locations  and  data 
values. 

•  Linear  invariants  express  linear  relationships  between  system  vari¬ 
ables. 
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•  Polyhedral  invariants  generalize  linear  invariants,  expressing  polyhe¬ 
dral  constraints  over  sets  of  system  variables. 

These  invariant  generation  methods  are  now  being  specialized  to  the 
case  of  real-time  and  hybrid  systems  [MS98].  Invariant  generation  can 
also  be  used  for  the  modular  verification  of  real-time  systems,  as  shown 
in  [BMSU98]. 

For  real-time  and  hybrid  systems  STeP  provides  an  alternative  technique 
of  invariant  generation,  also  based  on  forward  propagation  of  system  behav¬ 
ior  through  the  state  space,  but  now  starting  from  the  entire  state  space 
[BMSU98].  In  this  case  every  propagation  step  leads  to  an  invariant;  no 
fixpoint  needs  to  be  computed.  For  hybrid  systems  these  techniques  have 
been  further  optimized  to  take  advantage  of  the  structure  of  the  constraints, 
resulting  in  stronger  invariants.  In  [MS98]  we  show  an  example  where  the 
invariants  thus  generated  are  sufficiently  strong  to  prove  the  main  property 
of  interest. 

5.2  Decision  Procedures 

The  verification  conditions  generated  in  deductive  verification  refer  to  the 
domain  of  computation  of  the  system  being  verified.  To  establish  verifica¬ 
tion  conditions  in  the  most  automatic  and  efficient  manner,  STeP  includes 
decision  procedures  for  a  number  of  theories  frequently  used  in  computation 
domains,  and  thus  common  in  formal  verification  [Bj098]. 

The  basic  integration  of  decision  procedures  is  a  variant  of  Shostak’s  con¬ 
gruence  closure-based  algorithm  [Sho84,  CLS96,  Bjp98].  At  the  top-level, 
an  algorithm  based  on  congruence  closure  propagates  equality  constraints 
through  function  symbols.  It  invokes  the  other  decision  procedures  as  aux¬ 
iliary  simplifiers  and  solvers.  The  theories  supported  in  this  way  include: 

•  Partial  orders.  Beyond  basic  equality,  partial  orders  are  a  more  ex¬ 
pressive  constraint  language  to  specify  relations  between  variables. 

•  Linear  and  non-linear  arithmetic.  STeP  provides  Fourier’s  quantifier 
elimination  procedure  to  deal  with  formulas  involving  linear  arith¬ 
metic;  this  procedure  also  extracts  implied  equalities. 

Some  systems,  including  most  hybrid  systems,  require  reasoning  about 
formulas  featuring  multiplication  and  division.  Formulas  involving 
some  use  of  multiplication  and  division  however  arise  naturally  from 
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even  simple  hybrid  systems.  For  instance 


/  a/v  1  +  a  •  2/vr  <  £2  +  i/v  1  +  i  *  2/ur 
y  A  tT>0Aiv>0Ap>2  A  p  <  a 


p/vr  <  X2  +  i/vr 


was  encountered  during  verification  of  a  symbolic  temperature  con¬ 
troller  [MS98],  STeP  therefore  includes  basic  techniques  for  eliminat¬ 
ing  first-  and  second-degree  variables  as  described  in  [Wei97].  Ag¬ 
gressive  use  of  abstract  interpretation  techniques  based  on  sign  at¬ 
tributes  keeps  the  search  space  manageable.  For  instance  in  the  exam¬ 
ple  above,  the  information  vr  >  0  is  used  to  simplify  p/vr  <  X2  +  i/vr 
to  p  <  X2  -vr  +i.  Asserted  and  implied  equalities  are  used  to  eliminate 
variables  by  rewriting  equalities  into  the  form  x  =  t,  where  x  does  not 
occur  in  t ,  and  applying  the  substitution  [x  t]  to  the  constraints. 
The  equality  x  =  t  is  also  passed  to  the  congruence  closure  which  uses 
it  for  simplifying  complex  (non-arithmetical)  terms  containing  x. 


•  Bit-vectors.  Reasoning  about  bit-vectors  is  essential  for  hardware  ver¬ 
ification.  STeP  includes  decision  procedures  for  fixed-size  bit-vectors 
with  boolean  bitwise  operations  and  concatenation,  and  for  non-fixed 
size  bit- vectors  with  concatenation.  These  procedures  are  described  in 
[BP98]. 

•  Lists ,  queues ,  and  word  decision  procedures.  Lists  and  queues  are  com¬ 
mon  data  structures,  especially  in  systems  using  abstract  datatypes 
or  asynchronous  channels.  Both  lists  and  queues  can  be  viewed  as 
special  cases  of  words,  with  concatenation  being  the  basic  operation. 
Although  the  known  decision  procedures  for  word  equalities  have  pro¬ 
hibitive  complexity,  the  special  cases  of  lists  and  queues  can  be  solved 
efficiently. 


•  Recursive  data-types.  STeP  supports  equality  reasoning  for  general 
recursive  datatypes,  which  allow  the  specification  of  S-expressions  and 
other  tree-like  structures.  Enumeration  types  and  records  are  treated 
as  special  cases  of  recursive  datatypes. 

Co-inductive  data-types,  such  as  lazy  lists,  are  also  supported.  Both 
equality  constraints  and  subterm  relationships  are  supported  in  the 
integration  of  decision  procedures. 

Recursive  data-types  are  given  initial  term  algebra  semantics.  On  the 
other  hand,  co-recursive  data-types  contain  infinite  and  cyclic  terms. 
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•  Set  theory .  STeP  provides  basic  support  for  Multi-level  Syllogistic 
Set-theory  (MLSS)  [CF089,  CZ98].  MLSS  terms  range  over  sets, 
and  operations  include  union,  intersection,  set-difference,  and  finite 
set-enumeration.  Atomic  relations  include  set  equality,  inclusion  and 
membership. 

STeP  uses  decision  procedures  not  only  to  check  validity,  but  to  simplify 
formulas  as  well,  rewriting  them  to  smaller,  logically  equivalent  ones.  Effi¬ 
cient  formula  simplification  can  make  verification  conditions  more  readable 
and  manageable,  and  improves  the  efficiency  of  subsequent  validity  checking. 

The  above  decision  procedures  check  validity  of  ground  formulas,  where 
no  first-order  quantification  is  present.  STeP  extends  this  combination  of 
ground  decision  procedures  to  include  theory-specific  unification  algorithms, 
which  find  quantifier  instantiations  needed  for  first-order  validity  check¬ 
ing  [BSU97]. 

As  mentioned  in  Section  4.2,  an  interactive  Gentzen-style  theorem  prover 
is  available  as  part  of  the  Proof  Editor  (Figure  4)  to  establish  verification 
conditions  that  are  not  proved  automatically. 

5.3  Generalized  Verification  Diagrams 

Generalized  verification  diagrams  [BMS95,  MBSU98]  are  an  extension  of 
verification  diagrams  that  allow  the  verification  of  arbitrary  temporal  prop¬ 
erties.  Like  temporal  formulas  and  cj-automata,  generalized  verification  dia¬ 
grams  have  an  associated  set  of  computations,  constrained  by  an  acceptance 
condition.  Diagrams  can  be  seen  as  intermediaries  between  the  system  and 
the  property  to  be  proven.  A  set  of  verification  conditions  is  proved,  de¬ 
ductively,  to  show  that  the  diagram  faithfully  represents  computations  of 
the  system:  initiality  and  consecution  conditions,  associated  with  individual 
nodes  of  the  diagram,  ensure  that  all  runs  of  the  system  have  correspond¬ 
ing  paths  of  the  diagram.  Acceptance  conditions,  based  on  well-founded 
orders,  prove  that  system  computations  fulfill  the  acceptance  requirements 
associated  with  the  diagram.  An  algorithmic  check  then  establishes  that 
the  diagram  corresponds  to  the  formula  being  proved.  Together,  these  two 
stages  show  that  all  computations  of  the  system  are  models  of  the  temporal 
property. 

The  STeP  Diagram  Editor,  shown  in  Figure  5,  allows  the  user  to  draw  a 
diagram  and  then  prove,  using  the  Proof  Editor,  the  associated  verification 
conditions.  In  STeP  2.0,  the  Diagram  Editor  and  the  Proof  Editor  axe  more 
tightly  coupled,  to  facilitate  the  incremental  development  of  diagrams.  The 


16 


Hte  Diagram  Drawing  Canvas  Transformations  Vkw  Undo  Holp 

flic . . . ;  •  Diagram  . •  ;  Canvas  .  view  :  :  undo  -  .  . 

D  H#  X  \Si..m  ♦  j  ®A10;III,0  ? 

Drawing  : . . ,  Transformation* .  . — - ~ —  -  D«t  ™i — — { 


Figure  5:  STeP  Diagram  Editor 


user  can  draw  an  initial  version  and  try  to  prove  the  associated  verification 
conditions.  If  they  fail,  the  user  can  make  local  corrections  to  the  diagram 
(or  discover  something  wrong  with  the  system)  and  attempt  the  proof  again. 

The  verification  conditions  are  local  to  the  diagram;  failed  verification 
conditions  point  to  missing  edges  or  nodes,  weak  assertions,  or  possible  bugs 
in  the  system.  Since  local  changes  to  a  diagram  do  not  affect  the  verification 
conditions  elsewhere,  much  of  the  work  from  the  previous  iteration  can  be 
saved.  Using  feedback  from  the  Proof  Editor,  the  Diagram  Editor  can  high¬ 
light  proved  and  unproved  edges  and  nodes  in  the  diagram,  helping  the  user 
correct  the  diagram.  A  change  to  the  diagram  automatically  invalidates  the 
verification  conditions  in  the  Proof  Editor  that  are  affected  by  the  change. 

Deductive  model  checking  [SUM99]  uses  diagrams  to  explore  and  refine 
the  state-space  of  possibly  infinite-state  systems,  searching  for  a  counterex¬ 
ample  computation  by  transforming  the  diagram.  The  STeP  Diagram  Editor 
supports  some  of  these  diagram  transformations  for  interactive  state-space 
exploration.  We  will  include  a  more  comprehensive  implementation  in  up¬ 
coming  releases. 

5.4  Constructing  Finite-State  Abstractions 

Temporal  properties  can  be  proved  for  a  complex  system  by  finding  a  sim¬ 
pler  abstract  system  such  that  if  the  abstract  system  satisfies  a  related  prop¬ 
erty,  then  the  original  concrete  system  satisfies  the  original  one  as  well.  If 
the  abstract  system  is  finite-state,  its  temporal  properties  can  be  estab¬ 
lished  automatically  using  a  model  checker.  We  have  developed  methods  for 
automatically  generating  finite-state  abstractions  of  possibly  infinite-state 
systems  [CU98,  Uri98],  using  the  decision  procedures  in  STeP  (Section  5.2). 

The  abstraction  algorithm  compositionally  abstracts  the  transitions  of 
the  system,  expressed  as  first-order  relations,  relative  to  a  given,  fixed  set 
of  assertions  which  define  the  abstract  state-space.  The  number  of  validity 
checks  is  proportional  to  the  size  of  the  system  description,  rather  than  the 
size  of  the  abstract  state-space. 

Once  the  finite-state  abstraction  is  generated,  it  can  be  model  checked, 
explicitly  or  symbolically  (see  Section  4.3).  The  generated  abstractions  are 
weakly  preserving  for  universal  (VCTL*)  temporal  properties,  including  LTL 
[DGG97].  This  means  that  validity  at  the  abstract  level  implies  the  validity 
of  the  original  property  over  the  concrete  system;  however,  if  the  abstract 
property  fails,  the  original  property  might  still  hold.  In  this  case,  we  say 
that  the  abstraction  was  not  fine  enough.  An  abstract  counterexample  can 
be  used,  manually,  to  determine  if  a  corresponding  concrete  counterexample 
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exists,  or  else  to  build  a  finer  abstraction. 


6  Applications 

6.1  Real-time  Systems 

In  [BMSU98],  we  present  a  modular  framework  for  proving  temporal  prop¬ 
erties  of  real-time  systems,  based  on  clocked  transition  systems  and  linear¬ 
time  temporal  logic.  We  show  how  deductive  verification  rules,  verification 
diagrams,  and  automatic  invariant  generation  can  be  used  to  establish  prop¬ 
erties  of  real-time  systems  in  this  framework.  We  also  discuss  global  and 
modular  proofs  of  the  branching-time  property  of  non-Zenoness.  As  an 
example,  we  present  the  mechanical  verification  of  the  generalized  railroad 
crossing  case  study  using  STeP. 

6.2  Fault-tolerant  Systems 

In  [BLM97],  a  parameterized  fault-tolerant  leader-election  algorithm  re¬ 
cently  proposed  in  [GM96]  is  modeled  and  verified  using  STeP.  Our  methods 
settle  the  general  iV-process  correctness  for  the  algorithm,  which  had  been 
previously  verified  only  for  N  =  3.  We  formulate  the  notion  of  Uniform 
Compassion  to  model  progress  in  faulty  systems  more  faithfully,  and  com¬ 
bine  it  with  the  more  standard  notions  of  fairness.  We  also  show  how  the 
correctness  proofs  generalize  to  different  channel  models  by  a  reduction  to 
a  simple  channel  model. 

6.3  Hybrid  Systems 

In  [MS98]  we  present  invariant  generation  methods  for  hybrid  systems,  and 
verify  a  simple  hybrid  water  level  controller  using  STeP.  In  [MCF+98],  we 
show  how  deductive  verification  tools,  and  the  combination  of  finite-state 
model  checking  and  abstraction,  allow  the  verification  of  infinite-state  sys¬ 
tems  featuring  data  types  commonly  used  in  software  specifications,  includ¬ 
ing  real-time  and  hybrid  systems. 

6.4  Case  Study:  Steam  boiler 

The  incorporation  of  modularity  and  abstraction  in  STeP  has  enabled  us 
to  analyze  much  larger  systems  than  was  previously  possible.  An  exam¬ 
ple  is  the  steam  boiler  case  study  [ABL96],  a  benchmark  for  specification 
and  verification  methods  for  hybrid  controlled  systems.  At  the  time  of  its 
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appearance  we  developed  a  comprehensive  model  of  this  system,  including 
both  the  plant  and  the  controller.  The  model  consisted  of  some  1000  lines 
of  SPL  code  and  contained  eight  parallel  processes.  However,  verification 
proved  impractical  and  further  analysis  was  suspended.  Recently  the  case 
study  was  revived.  The  system  was  rewritten  as  a  modular  transition  sys¬ 
tem  consisting  of  ten  modules  with  a  total  of  80  transitions,  18  real-valued 
variables  and  28  finite-domain  variables. 

Modularity  allowed  us  to  prove  properties  over  selected  subsystems  and 
inherit  them  for  the  full  system,  thus  reducing  the  number  of  verification 
conditions  to  be  proven.  In  some  cases,  involving  discrete  finite-state  mod¬ 
ules  only,  the  model  checker  could  be  applied,  making  the  verification  fully 
automatic.  In  our  previous  implementation  finite-state  components  could 
not  be  separated  from  the  infinite-state  ones,  and  thus  use  of  the  model 
checker  was  not  possible. 

Assertion-based  abstraction  (see  Section  5.4)  enabled  us  to  indirectly 
apply  the  model  checker  to  infinite-state  modules  as  well,  by  eliminating  the 
real-valued  variables.  The  relationships  between  the  relevant  real-valued 
variables  captured  by  a  small  set  of  assertions  were  sufficient  to  let  us  prove 
the  properties. 

A  more  detailed  description  of  the  case  study  is  given  in  [MCF+98]. 

6.5  Educational  Use 

STeP  has  been  used  on  several  occasions  for  teaching  a  graduate-level  in¬ 
troductory  course  on  temporal  verification  of  reactive  systems,  at  Stanford 
University  and  at  the  Technion  (Israel  Institute  of  Technology,  Haifa). 

STeP  is  freely  available  for  research  and  educational  use.  The  STeP 
manual  is  available  as  [BBC+95],  and  system  descriptions  are  provided  in 
[BBC+96,  MBB+99].  For  information  on  obtaining  STeP,  see  the  STeP  web 
pages  at: 


http :  //wwv-step .  Stanford .  edu/ 


7  Implementation 

The  parsing,  theorem-proving  and  invariant  generation  components  of  STeP 
are  implemented  in  Standard  ML  of  New  Jersey.  The  graphical  user  interface 
for  STeP  2.0  was  developed  in  Java.  The  Java  graphical  packages  and  the 
inheritance  features  of  the  language  are  well-suited  for  the  implementation 
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of  a  variety  of  visual  formalisms  with  common  features,  as  in  the  STeP 
Diagram  Editor. 

The  explicit-state  model  checker  is  implemented  in  C,  while  the  sym¬ 
bolic  model  checker  uses  ML  linked  together  with  external  OBDD  libraries, 
written  in  C.  Similarly,  the  polyhedral  invariant  generation  uses  external 
polyhedra  manipulation  routines,  implemented  in  C  [HP95]. 

7.1  Stand-alone  components 

Many  of  the  components  of  STeP  described  above  can  be  used  in  batch 
mode,  as  stand-alone  components,  including: 

•  the  parser/translator  from  SPL  into  fair  transition  systems  (Section  2) 

•  the  explicit-state  and  symbolic  model  checkers  (Section  4.3) 

•  the  linear,  local  and  polyhedral  invariant  generators  (Section  5.1) 

•  the  validity  checker  and  formula  simplifier  (Section  5.2) 

These  options  are  available  as  command-line  options  to  a  separate  executable 
binary  file. 

7.2  External  systems 

Verification  conditions  in  STeP  can  be  output  to  external  theorem  provers 
or  decision  procedures.  In  particular,  the  MONA  package  for  monadic  sec¬ 
ond  order  logic  can  be  used;  output  to  the  OTTER  and  Gandalf  resolution 
theorem  provers  is  also  provided.  STeP  interacts  with  these  provers  by  in¬ 
voking  them  in  the  background  and  digesting  their  output  to  check  if  the 
verification  conditions  have  been  discharged. 

7.3  Obtaining  STeP 

STeP  is  freely  available  for  research  and  educational  use.  It  has  been  down¬ 
loaded  by  more  than  180  registered  users  in  28  countries  around  the  world. 
For  more  information,  the  STeP  web  pages  at 

http : //www-step . Stanford . edu 
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